This week’s highlights also include Adobe patches, Drupal bugs and fixes from both Oracle and Cisco.
Critical bugs in Drupal
The core product and three contributed modules for the popular open source content management system Drupal contain critical flaws. Drupal said in its advisory that RESTful Web Services, Coder, and Webform Multiple File Upload are installed on up to 10,000 sites, and that administrators should apply the patches to affected sites as soon as possible to avoid the risk of remote code execution. The Drupal Core vulnerability affects version 8.x, and is corrected in version 8.1.7. Drupal says that although the Core bug does not affect version 7.x, administrators should apply mitigation steps to protect sites from the HTTPoxy flaw, to avoid a remotely exploitable vulnerability.
Apple patches multiple products
Apple has released patches for iTunes, Safari, tvOS, watchOS, iOS, and OS X El Capitan. US-CERT reports that some of the vulnerabilities could allow an attacker to take control of an affected system, and advises users to update as soon as possible.
Critical flaw affects all versions of Windows
As part of its monthly Patch Tuesday fixes, Microsoft has released five critical patches, including one affecting all supported versions of Windows that could allow a man-in-the-middle attack and remote code execution due to vulnerabilities in the operation of the Windows Print Spooler. Others affect all supported versions of Microsoft Office that could allow an attacker to seize control of a system if a specially crafted Office file is opened, and yet others hit both the Internet Explorer and Edge browsers. The final Critical update affects JScript and VBScript, correcting a vulnerability that could allow remote code execution if a user visits a specially crafted website. Five additional updates were rated Important, and as usual, Microsoft distributed the Adobe Flash patches for Windows 8.1, Windows 10, and Windows Server 2012 and up.
Adobe patches flaws in Flash Player, Acrobat, and Reader
In its largest update of the year, Adobe has pushed out patches for 52 critical issues in Flash Player for Windows, Mac, Linux, and ChromeOS, most of which, if exploited, could lead to remote code execution that could allow an attacker to take control of affected systems. It has also released updates for Adobe Acrobat and Adobe Reader, addressing 30 vulnerabilities that could also lead to attackers taking control of a system, and issued a security update for Adobe XMP Toolkit for Java that could lead to information disclosure. Users who have enabled automatic updates for Flash, Acrobat, and Reader will receive their patches automatically; Adobe has provided a download link for the XMP Toolkit fix.
Cisco patches routers
Cisco has issued a pair of patches for Cisco IOS XR for Cisco Network Convergence System 6000 (NCS 6000) Series Routers, and Cisco ASR 5000 Series. The IOS XR flaw is rated High importance, and could result in denial of service, while the ASR 5000 fix is rated Medium, and could allow an attacker to read and modify the device configuration. There are no workarounds for either vulnerability.
Oracle corrects 276 vulnerabilities
Oracle has released its July update, which addresses 276 vulnerabilities across multiple product lines including Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL. The company recommends that users apply the updates as soon as possible, particularly the CPU patches, and notes that while there are workarounds for some of the issues, they should not be considered long-term fixes.
Web server vulnerability affects multiple products
CERT warns that Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables, which can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts. Known as HTTPoxy, these flaws are easily exploitable, and CERT recommends that available patches should be applied, or that mitigations described on the HTTPoxy site be performed as soon as possible. The Register reports that we can likely expect more reports of vulnerable products as developers check their products for the flaw.
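The header-to-variable collision CERT describes, and the common mitigation of dropping the client's Proxy header before it reaches the CGI layer, shown as an added example (not code from CERT, the HTTPoxy site or any affected product). The function names, sample headers and placeholder hosts are constructed for illustration, and outbound_proxy is a simplified stand-in for an HTTP client library that reads HTTP_PROXY.

```python
# Added example: CGI header mapping (RFC 3875) and the HTTPoxy mitigation.
# All names and sample values here are constructed for illustration.

def cgi_environ(headers, base_env=None):
    """Build a CGI-style environment the way RFC 3875 gateways do:
    a request header 'Name-Part' becomes the variable HTTP_NAME_PART."""
    env = dict(base_env or {})
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        # Content-Type and Content-Length are passed without the prefix.
        if key in ("HTTP_CONTENT_TYPE", "HTTP_CONTENT_LENGTH"):
            key = key[len("HTTP_"):]
        env[key] = value  # a client 'Proxy' header lands in HTTP_PROXY
    return env


def strip_proxy_header(headers):
    """Mitigation: drop any client-supplied Proxy header before the
    request reaches the CGI layer. Header names are case-insensitive."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def outbound_proxy(env):
    """Simplified stand-in (assumption) for an HTTP client library that
    reads HTTP_PROXY to pick a proxy for the application's own requests."""
    return env.get("HTTP_PROXY")


# Constructed sample request; the .invalid hosts are placeholders.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "sample-client/1.0"),
    ("pRoXy", "http://proxy.example.invalid:8080"),
]


def demo():
    """Return the proxy an outbound client would use, before and after."""
    unfiltered = cgi_environ(SAMPLE_HEADERS)
    filtered = cgi_environ(strip_proxy_header(SAMPLE_HEADERS))
    return outbound_proxy(unfiltered), outbound_proxy(filtered)


if __name__ == "__main__":
    before, after = demo()
    print("unfiltered request ->", before)
    print("filtered request   ->", after)
```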
Two million user IDs compromised
Ubuntu reports that its user forum database was breached, and usernames, email addresses and IPs downloaded. Ubuntu says that passwords were not compromised, nor was the code repository accessed.